version 1.12, 1996/11/23 19:10:43 |
version 1.13, 1996/11/30 17:50:58 |
|
|
#!/bin/sh - |
#!/bin/sh - |
# |
# |
# $OpenBSD$ |
# $OpenBSD$ |
|
# from: @(#)security 8.1 (Berkeley) 6/9/93 |
# |
# |
|
|
PATH=/sbin:/usr/sbin:/bin:/usr/bin |
PATH=/sbin:/usr/sbin:/bin:/usr/bin |
|
|
umask 077 |
umask 077 |
|
|
LIST=$DIR/_secure5 |
LIST=$DIR/_secure5 |
OUTPUT=$DIR/_secure6 |
OUTPUT=$DIR/_secure6 |
|
|
|
|
if ! mkdir $DIR ; then |
if ! mkdir $DIR ; then |
printf "tmp directory %s already exists, looks like:\n" $DIR |
printf "tmp directory %s already exists, looks like:\n" $DIR |
ls -alF $DIR |
ls -alF $DIR |
|
|
if ($1 ~ /^[+-].*$/) |
if ($1 ~ /^[+-].*$/) |
next; |
next; |
if ($1 == "") |
if ($1 == "") |
printf("Line %d has an empty login field.\n",NR); |
printf("Line %d has an empty login field.\n", NR); |
else if ($1 !~ /^[A-Za-z0-9][A-Za-z0-9_-]*$/) |
else if ($1 !~ /^[A-Za-z0-9][A-Za-z0-9_-]*$/) |
printf("Login %s has non-alphanumeric characters.\n", $1); |
printf("Login %s has non-alphanumeric characters.\n", $1); |
if (length($1) > 8) |
if (length($1) > 8) |
|
|
next; |
next; |
if (NF != 4) |
if (NF != 4) |
printf("Line %d has the wrong number of fields.\n", NR); |
printf("Line %d has the wrong number of fields.\n", NR); |
if ($1 !~ /^[A-za-z0-9]*$/) |
if ($1 !~ /^[A-za-z0-9][A-za-z0-9_-]*$/) |
printf("Group %s has non-alphanumeric characters.\n", $1); |
printf("Group %s has non-alphanumeric characters.\n", $1); |
if (length($1) > 8) |
if (length($1) > 8) |
printf("Group %s has more than 8 characters.\n", $1); |
printf("Group %s has more than 8 characters.\n", $1); |
|
|
done |
done |
if [ $umaskset = "no" -o -s $OUTPUT ] ; then |
if [ $umaskset = "no" -o -s $OUTPUT ] ; then |
printf "\nChecking root csh paths, umask values:\n$list\n" |
printf "\nChecking root csh paths, umask values:\n$list\n" |
if [ -s $OUTPUT ]; then |
if [ -s $OUTPUT ] ; then |
cat $OUTPUT |
cat $OUTPUT |
fi |
fi |
if [ $umaskset = "no" ] ; then |
if [ $umaskset = "no" ] ; then |
|
|
done |
done |
if [ $umaskset = "no" -o -s $OUTPUT ] ; then |
if [ $umaskset = "no" -o -s $OUTPUT ] ; then |
printf "\nChecking root sh paths, umask values:\n$list\n" |
printf "\nChecking root sh paths, umask values:\n$list\n" |
if [ -s $OUTPUT ]; then |
if [ -s $OUTPUT ] ; then |
cat $OUTPUT |
cat $OUTPUT |
fi |
fi |
if [ $umaskset = "no" ] ; then |
if [ $umaskset = "no" ] ; then |
|
|
for f in $list ; do |
for f in $list ; do |
if [ -s $f ] ; then |
if [ -s $f ] ; then |
awk '{ |
awk '{ |
if ($0 ~ /^\+@.*$/ ) |
if ($0 ~ /^\+@.*$/) |
next; |
next; |
if ($0 ~ /^\+.*$/ ) |
if ($0 ~ /^\+.*$/) |
printf("\nPlus sign in %s file.\n", FILENAME); |
printf("\nPlus sign in %s file.\n", FILENAME); |
}' $f |
}' $f |
fi |
fi |
done |
done |
|
|
# Check for special users with .rhosts/.shosts files. Only root should |
# Check for special users with .rhosts/.shosts files. Only root |
# have .rhosts/.shosts files. Also, .rhosts/.shosts files |
# should have .rhosts/.shosts files. Also, .rhosts/.shosts |
# should not have plus signs. |
# files should not have plus signs. |
awk -F: '$1 != "root" && $1 !~ /^[+-].*$/ && \ |
awk -F: '$1 != "root" && $1 !~ /^[+-].*$/ && \ |
($3 < 100 || $1 == "ftp" || $1 == "uucp") \ |
($3 < 100 || $1 == "ftp" || $1 == "uucp") \ |
{ print $1 " " $6 }' /etc/passwd | |
{ print $1 " " $6 }' /etc/passwd | |
|
|
awk -F: '{ print $1 " " $6 }' /etc/passwd | \ |
awk -F: '{ print $1 " " $6 }' /etc/passwd | \ |
while read uid homedir; do |
while read uid homedir; do |
for j in .rhosts .shosts; do |
for j in .rhosts .shosts; do |
if [ -f ${homedir}/$j ] ; then |
if [ -s ${homedir}/$j ] ; then |
awk '{ |
awk '{ |
if ($0 ~ /^+@.*$/ ) |
if ($0 ~ /^+@.*$/ ) |
next; |
next; |
if ($0 ~ /^\+[ ]*$/ ) |
if ($0 ~ /^\+[ ]*$/ ) |
printf("%s has + sign in it.\n", |
printf("%s has + sign in it.\n", |
FILENAME); |
FILENAME); |
}' ${homedir}/$j |
}' ${homedir}/$j |
fi |
fi |
done |
done |
|
|
|
|
# Check home directories. Directories should not be owned by someone else |
# Check home directories. Directories should not be owned by someone else |
# or writeable. |
# or writeable. |
awk -F: '{ if ( $1 !~ /^[+-].*$/ ) print $1 " " $6 }' /etc/passwd | \ |
awk -F: '{ if ($1 !~ /^[+-].*$/) print $1 " " $6 }' /etc/passwd | \ |
while read uid homedir; do |
while read uid homedir; do |
if [ -d ${homedir}/ ] ; then |
if [ -d ${homedir}/ ] ; then |
file=`ls -ldgT ${homedir}` |
file=`ls -ldgT ${homedir}` |
|
|
done | |
done | |
awk '$1 != $5 && $5 != "root" \ |
awk '$1 != $5 && $5 != "root" \ |
{ print "user " $1 " " $2 " file is owned by " $5 } |
{ print "user " $1 " " $2 " file is owned by " $5 } |
|
$3 ~ /^-...r/ \ |
|
{ print "user " $1 " " $2 " file is group readable" } |
$3 ~ /^-......r/ \ |
$3 ~ /^-......r/ \ |
{ print "user " $1 " " $2 " file is other readable" } |
{ print "user " $1 " " $2 " file is other readable" } |
$3 ~ /^-....w/ \ |
$3 ~ /^-....w/ \ |
|
|
cat $OUTPUT |
cat $OUTPUT |
fi |
fi |
|
|
if [ -f /etc/exports ]; then |
# File systems should not be globally exported. |
# File systems should not be globally exported. |
if [ -s /etc/exports ] ; then |
awk '{ |
awk '{ |
if ($1 ~ /^#/) |
if ($1 ~ /^#/) |
next; |
|
readonly = 0; |
|
for (i = 2; i <= NF; ++i) { |
|
if ($i ~ /-ro/) |
|
readonly = 1; |
|
else if ($i !~ /^-/) |
|
next; |
next; |
} |
readonly = 0; |
if (readonly) |
for (i = 2; i <= NF; ++i) { |
print "File system " $1 " globally exported, read-only." |
if ($i ~ /-ro/) |
else |
readonly = 1; |
print "File system " $1 " globally exported, read-write." |
else if ($i !~ /^-/) |
}' < /etc/exports > $OUTPUT |
next; |
if [ -s $OUTPUT ] ; then |
} |
printf "\nChecking for globally exported file systems.\n" |
if (readonly) |
cat $OUTPUT |
print "File system " $1 " globally exported, read-only." |
fi |
else |
|
print "File system " $1 " globally exported, read-write." |
|
}' < /etc/exports > $OUTPUT |
|
if [ -s $OUTPUT ] ; then |
|
printf "\nChecking for globally exported file systems.\n" |
|
cat $OUTPUT |
|
fi |
fi |
fi |
|
|
# Display any changes in setuid/setgid files and devices. |
# Display any changes in setuid/setgid files and devices. |
pending="\nChecking setuid/setgid files and devices:\n" |
pending="\nChecking setuid/setgid files and devices:\n" |
(find / \( ! -fstype local -o -fstype fdesc -o -fstype kernfs \ |
(find / \( ! -fstype local -o -fstype fdesc -o -fstype kernfs \ |
-o -fstype procfs \) -a -prune -o \ |
-o -fstype procfs \) -a -prune -o \ |
-type f -a \( -perm -u+s -o -perm -g+s \) -ls -o \ |
-type f -a \( -perm -u+s -o -perm -g+s \) -print0 -o \ |
! -type d -a ! -type f -a ! -type l -a ! -type s -ls | \ |
! -type d -a ! -type f -a ! -type l -a ! -type s -print0 | \ |
sort > $LIST) 2> $OUTPUT |
xargs -0 ls -ldgT | sort +9 > $LIST) 2> $OUTPUT |
|
|
# Display any errors that occurred during system file walk. |
# Display any errors that occurred during system file walk. |
if [ -s $OUTPUT ] ; then |
if [ -s $OUTPUT ] ; then |
|
|
fi |
fi |
|
|
# Display any changes in the setuid/setgid file list. |
# Display any changes in the setuid/setgid file list. |
egrep -v '^ *[0-9]+ +[0-9]+ +[bc]' $LIST > $TMP1 |
egrep -v '^[bc]' $LIST > $TMP1 |
if [ -s $TMP1 ] ; then |
if [ -s $TMP1 ] ; then |
# Check to make sure uudecode isn't setuid. |
# Check to make sure uudecode isn't setuid. |
if grep -w uudecode $TMP1 > /dev/null ; then |
if grep -w uudecode $TMP1 > /dev/null ; then |
|
|
: |
: |
else |
else |
> $TMP2 |
> $TMP2 |
join -112 -212 -v2 $CUR $TMP1 > $OUTPUT |
join -110 -210 -v2 $CUR $TMP1 > $OUTPUT |
if [ -s $OUTPUT ] ; then |
if [ -s $OUTPUT ] ; then |
printf "${pending}Setuid additions:\n" |
printf "${pending}Setuid additions:\n" |
pending= |
pending= |
|
|
printf "\n" |
printf "\n" |
fi |
fi |
|
|
join -112 -212 -v1 $CUR $TMP1 > $OUTPUT |
join -110 -210 -v1 $CUR $TMP1 > $OUTPUT |
if [ -s $OUTPUT ] ; then |
if [ -s $OUTPUT ] ; then |
printf "${pending}Setuid deletions:\n" |
printf "${pending}Setuid deletions:\n" |
pending= |
pending= |
|
|
printf "\n" |
printf "\n" |
fi |
fi |
|
|
sort +11 $TMP2 $CUR $TMP1 | \ |
sort +9 $TMP2 $CUR $TMP1 | \ |
sed -e 's/[ ][ ]*/ /g' | uniq -u > $OUTPUT |
sed -e 's/[ ][ ]*/ /g' | uniq -u > $OUTPUT |
if [ -s $OUTPUT ] ; then |
if [ -s $OUTPUT ] ; then |
printf "${pending}Setuid changes:\n" |
printf "${pending}Setuid changes:\n" |
|
|
# Check for block and character disk devices that are readable or writeable |
# Check for block and character disk devices that are readable or writeable |
# or not owned by root.operator. |
# or not owned by root.operator. |
>$TMP1 |
>$TMP1 |
DISKLIST="dk fd hd hk hp jb kra ra rb rd rl rx xd rz sd up wd vnd ccd" |
DISKLIST="ccd dk fd hd hk hp jb kra ra rb rd rl rx rz sd up vnd wd xd" |
for i in $DISKLIST; do |
for i in $DISKLIST; do |
egrep "^b.*/${i}[0-9][0-9]*[a-p]$" $LIST >> $TMP1 |
egrep "^b.*/${i}[0-9][0-9]*[a-p]$" $LIST >> $TMP1 |
egrep "^c.*/r${i}[0-9][0-9]*[a-p]$" $LIST >> $TMP1 |
egrep "^c.*/r${i}[0-9][0-9]*[a-p]$" $LIST >> $TMP1 |
|
|
# the hacker can modify the tree specification to match the replaced binary. |
# the hacker can modify the tree specification to match the replaced binary. |
# For details on really protecting yourself against modified binaries, see |
# For details on really protecting yourself against modified binaries, see |
# the mtree(8) manual page. |
# the mtree(8) manual page. |
if [ -d /etc/mtree ]; then |
if [ -d /etc/mtree ] ; then |
cd /etc/mtree |
cd /etc/mtree |
mtree -e -p / -f /etc/mtree/special > $OUTPUT |
mtree -e -p / -f /etc/mtree/special > $OUTPUT |
if [ -s $OUTPUT ] ; then |
if [ -s $OUTPUT ] ; then |
|
|
[ $file = '*.secure' ] && continue |
[ $file = '*.secure' ] && continue |
tree=`sed -n -e '3s/.* //p' -e 3q $file` |
tree=`sed -n -e '3s/.* //p' -e 3q $file` |
mtree -f $file -p $tree > $TMP1 |
mtree -f $file -p $tree > $TMP1 |
if [ -s $TMP1 ]; then |
if [ -s $TMP1 ] ; then |
printf "\nChecking $tree:\n" >> $OUTPUT |
printf "\nChecking $tree:\n" >> $OUTPUT |
cat $TMP1 >> $OUTPUT |
cat $TMP1 >> $OUTPUT |
fi |
fi |
|
|
for file in `cat /etc/changelist`; do |
for file in `cat /etc/changelist`; do |
CUR=/var/backups/`basename $file`.current |
CUR=/var/backups/`basename $file`.current |
BACK=/var/backups/`basename $file`.backup |
BACK=/var/backups/`basename $file`.backup |
if [ -s $file ]; then |
if [ -s $file ] ; then |
if [ -s $CUR ] ; then |
if [ -s $CUR ] ; then |
diff $CUR $file > $OUTPUT |
diff $CUR $file > $OUTPUT |
if [ -s $OUTPUT ] ; then |
if [ -s $OUTPUT ] ; then |